Microsoft has patched a Windows zero-day vulnerability that was being exploited in a highly targeted attack in Eastern Europe, according to ESET researchers. ESET reported the exploit to the Microsoft Security Response Center, which fixed the vulnerability and released a patch.
“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote in the vulnerability announcement.
To exploit the vulnerability (CVE-2019-1132), an attacker would first need to log on to the system. Once that is achieved, “an attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.” In other words, this is a local privilege escalation: it lets code already running in a low-privileged user context gain kernel-mode execution, rather than providing a remote entry point on its own.
This was the first time ESET researchers had seen the group use a zero-day exploit as part of a campaign. They attribute the activity to Buhtrap, an advanced persistent threat (APT) and cyber-criminal group that has been conducting espionage operations in Eastern Europe and Central Asia for several years.
Known for targeting financial institutions and businesses in Russia, the Buhtrap group has, since late 2015, shown a notable change in the profile of its traditional targets, according to the researchers.
“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in target occurred before the source code leaked, we assessed with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in the targeting of governmental institutions,” says Jean-Ian Boutin, head of threat research at ESET.
“It is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” he added.